12

I want to authenticate a Django web user using the Windows domain account (Active Directory) that is currently logged in to the computer. How can I do this without prompting the user to enter a username/password again, since he is already logged in to his system using a domain account? I am using Django and Python 2.7. I went through the following link but didn't understand how to use it in my views. Please help me.

Thanks

Sharadhi Ballal

2 Answers

13

When the Web server (here Django hosted on IIS) takes care of authentication, it typically sets the REMOTE_USER environment variable for use in the underlying application. In Django, REMOTE_USER is made available in the request.META attribute. Django can be configured to make use of the REMOTE_USER value using the RemoteUserMiddleware and RemoteUserBackend classes found in django.contrib.auth.

Configurations

You must add the django.contrib.auth.middleware.RemoteUserMiddleware to the MIDDLEWARE_CLASSES setting after the django.contrib.auth.middleware.AuthenticationMiddleware:

MIDDLEWARE_CLASSES = (
    ...
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.RemoteUserMiddleware',
    ...
    )

Next, you must replace the ModelBackend with RemoteUserBackend in the AUTHENTICATION_BACKENDS setting:

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.RemoteUserBackend',
)

With this setup, RemoteUserMiddleware will detect the username in request.META['REMOTE_USER'] and will authenticate and auto-login that user using the RemoteUserBackend.

(More info https://docs.djangoproject.com/en/1.5/howto/auth-remote-user/ )

To get REMOTE_USER in the request, apply the following IIS settings:

1. In Control Panel, click Programs and Features, and then click Turn Windows features on or off.

2. Expand Internet Information Services, expand World Wide Web Services, expand Security, and then select Windows Authentication.

IIS Manager

  1. Open IIS Manager and navigate to the level you want to manage.
  2. In Features View, double-click Authentication.
  3. On the Authentication page, select Windows Authentication.
  4. In the Actions pane, click Enable to use Windows authentication. (More info)
xedge
Sharadhi Ballal
  • 1
    On Windows it's returning DOMAIN\username. How do I go about dropping the DOMAIN part when passing to Django? – Danny Cullen Jun 10 '16 at 08:16
  • 1
    Managed to do it by overriding RemoteUserBackend.clean_username() – Danny Cullen Jun 10 '16 at 08:33
  • 1
    @DannyCullen where do you place the override? – Radek Nov 14 '16 at 12:01
  • I actually wrote my own authentication_backend - http://stackoverflow.com/questions/27681987/django-how-to-override-authenticate-method - http://pastebin.com/eCaAVUR6 – Danny Cullen Nov 14 '16 at 12:14
  • 1
    This was immensely helpful and I wanted to throw in some IIS tips that I had to discover elsewhere to actually get this going: First, this is a feature you'll have to install with IIS Roles and Features: https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/authentication/windowsAuthentication/ Next, you may have to run IIS Manager as administrator for the Windows Authentication option to appear after you've installed the Feature. – Patrick Keenan Aug 08 '17 at 02:19
  • Hi, terribly sorry for the "thread necrophilia" but on a scale from 1 to 10 how safe is this option? It seems like an easy way to create a Corporate Web App but I am concerned about security? Theoretically it should be an Apache Variable only read by the browser right? – Tackgnol Oct 10 '17 at 09:03
  • This worked very well for me with one addition: I had to disable anonymous authentication in IIS or the REMOTE_USER parameter appeared as empty – Joris Sep 19 '18 at 13:08
  • 1
    How do I add a new user into the Django panel? It asks me for a password! – decadenza Jan 16 '19 at 16:49
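
Added example (not code from this thread, from the linked pastebin, or from Django itself): one way to write the `clean_username()` override mentioned in the comments so that the DOMAIN part is checked against an allowlist before it is dropped, since stripping it blindly maps `DOMAIN1\alice` and `DOMAIN2\alice` to the same Django user. The names `clean_remote_user`, `DomainCheckedUsernameMixin`, the domain `CORP`, the account-name pattern and the handling of a `user@domain` form are assumptions made for illustration.

```python
import re

# Conservative pattern for the account part (assumption; adapt to local naming rules).
_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}\Z")


def clean_remote_user(raw, allowed_domains):
    """Return the bare account name from a REMOTE_USER value.

    Accepts DOMAIN\\user (the form reported in the comments) and, as an
    assumption, user@domain, but only for domains in allowed_domains.
    Raises ValueError for anything else.
    """
    if not raw or not raw.strip():
        # Empty value, e.g. when anonymous authentication is still enabled in IIS.
        raise ValueError("empty REMOTE_USER")
    raw = raw.strip()
    if "\\" in raw:
        domain, _, account = raw.partition("\\")
    elif "@" in raw:
        account, _, domain = raw.rpartition("@")
    else:
        raise ValueError("REMOTE_USER has no domain part")
    if domain.lower() not in set(d.lower() for d in allowed_domains):
        raise ValueError("domain not allowed: %r" % domain)
    if not _ACCOUNT_RE.match(account):
        raise ValueError("unexpected account name: %r" % account)
    # AD logon names are case-insensitive; lowercasing avoids duplicate Django users.
    return account.lower()


class DomainCheckedUsernameMixin(object):
    """Hypothetical mixin; list it before RemoteUserBackend in a subclass:

        class CorpRemoteUserBackend(DomainCheckedUsernameMixin, RemoteUserBackend):
            pass

    and reference that subclass in AUTHENTICATION_BACKENDS.
    """
    allowed_domains = ("CORP",)  # constructed sample value

    def clean_username(self, username):
        # A ValueError here makes the request fail instead of logging in
        # an account from an unexpected domain.
        return clean_remote_user(username, self.allowed_domains)
```
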
0

Check out this module https://pypi.org/project/django-windowsauth/

You can use this module to deploy your Django project on IIS and enable Windows Authentication. It can also handle synchronizing extra user information from Active Directory, and some other neat features.

Dan Yishai